Cyber threat intelligence sharing: Survey and research directions

Wagner, Thomas D.; Mahbub, Khaled; Palomar, Esther; Abdallah, Ali E.

doi:10.1016/j.cose.2019.101589

Cited by 174 publications

(124 citation statements)

References 65 publications

Supporting

Mentioning

121

Contrasting

Unclassified

Order By: Relevance

“…Although mainly concerned with STIX 1.x as a solution for sharing CTI, Serrano, et al [23] highlighted several areas of importance in the context of CTI sharing. These include the legal and privacy implications in sharing CTI across borders and jurisdictions (also the focus in [24] and [25]), which have recently received great attention due to the general data protection regulation (GDPR), the requirement of a critical mass for CTI sharing sources that characterises its effectiveness, along with the belief that the main impediment to security data sharing is the lack of a suitable platform that addresses the issues of formats and legal boundaries for CTI data. Practices in sharing CTI were also studied in [26], where the results obtained from an online survey were used to classify potential barriers (and benefits) into areas such as operational, organisational, economic and policy; the quality and accuracy of CTI; the risk of privacy violation; the redundancy/relevancy of CTI; and the infrastructure costs were identified as the primary barriers.…”

Section: Related Workmentioning

confidence: 99%

A Comparative Analysis of Cyber-Threat Intelligence Sources, Formats and Languages

2020

View full text Add to dashboard Cite

The sharing of cyber-threat intelligence is an essential part of multi-layered tools used to protect systems and organisations from various threats. Structured standards, such as STIX, TAXII and CybOX, were introduced to provide a common means of sharing cyber-threat intelligence and have been subsequently much-heralded as the de facto industry standards. In this paper, we investigate the landscape of the available formats and languages, along with the publicly available sources of threat feeds, how these are implemented and their suitability for providing rich cyber-threat intelligence. We also analyse at a sample of cyber-threat intelligence feeds, the type of data they provide and the issues found in aggregating and sharing the data. Moreover, the type of data supported by various formats and languages is correlated with the data needs for several use cases related to typical security operations. The main conclusions drawn by our analysis suggest that many of the standards have a poor level of adoption and implementation, with providers opting for custom or traditional simple formats.

show abstract

Section: Related Workmentioning

confidence: 99%

A Comparative Analysis of Cyber-Threat Intelligence Sources, Formats and Languages

2020

View full text Add to dashboard Cite

show abstract

“…In this context, Liu et al [10] showed that a lack of incentives can even prevent the exchange process from happening. In addition to this, Wagner et al [11] pointed out the risks that are associated with sharing CTI, which in turn may prevent companies from participating in the exchange, which in the worst case can even lead to the information exchanged being used to attack participants in the exchange.…”

Section: Related Workmentioning

confidence: 99%

“…The source code for the prototype can be downloaded at the project repository. 10 A live version of the DApp is available online, 11 and the deployed EOS contract can be inspected on the EOS Kylin testnet. 12…”

Section: Application Prototypementioning

confidence: 99%

DEALER: decentralized incentives for threat intelligence reporting and exchange

Menges

Putz

Pernul

2020

Int. J. Inf. Secur.

View full text Add to dashboard Cite

The exchange of threat intelligence information can make a significant contribution to improving IT security in companies and has become increasingly important in recent years. However, such an exchange also entails costs and risks, preventing many companies from participating. In addition, since legal reporting requirements were introduced in various countries, certain requirements must be taken into account in the exchange process. However, existing exchange platforms neither offer incentives to participate in the exchange process, nor fulfill requirements resulting from reporting obligations. With this work, we present a decentralized platform for the exchange of threat intelligence information. The platform supports the fulfillment of legal reporting obligations for security incidents and provides additional incentives for information exchange between the parties involved. We evaluate the platform by implementing it based on the EOS blockchain and IPFS distributed hash table. The prototype and cost measurements demonstrate the feasibility and cost-efficiency of our concept.

show abstract

“…ere are multiple recent surveys [3,8] that review the current state of the art on cyber threat intelligence (CTI) sharing, defining associated benefits and barriers [9]. ese works highlight that security, trustworthiness, provenance, and privacy issues are still open research challenges in CTI sharing, in the sense that they have not been holistically addressed in the literature.…”

Section: Related Workmentioning

confidence: 99%

Distributed Security Framework for Reliable Threat Intelligence Sharing

Preuveneers

Joosen

Bernabé

et al. 2020

Security and Communication Networks

View full text Add to dashboard Cite

Computer security incident response teams typically rely on threat intelligence platforms for information about sightings of cyber threat events and indicators of compromise. Other security building blocks, such as Network Intrusion Detection Systems, can leverage the information to prevent malicious adversaries from spreading malware across critical infrastructures. The effectiveness of threat intelligence platforms heavily depends on the willingness to share among organizations and the responsible use of sensitive information that may potentially harm the reputation of the reporting organization. The challenge that we address is the lack of trust in the source providing the threat intelligence and the information itself. We enhance our security framework TATIS—offering fine-grained protection for threat intelligence platform APIs—with distributed ledger capabilities to enable reliable and trustworthy threat intelligence sharing with the ability to audit the provenance of threat intelligence. We have implemented and evaluated the feasibility of our distributed framework on top of the Malware Information Sharing Platform (MISP) solution, and we evaluate the performance impact using real-world open-source threat intelligence feeds.

show abstract

Cyber threat intelligence sharing: Survey and research directions

Cited by 174 publications

References 65 publications

A Comparative Analysis of Cyber-Threat Intelligence Sources, Formats and Languages

A Comparative Analysis of Cyber-Threat Intelligence Sources, Formats and Languages

DEALER: decentralized incentives for threat intelligence reporting and exchange

Distributed Security Framework for Reliable Threat Intelligence Sharing

Contact Info

Product

Resources

About